Will's Random Thoughts on Exchange, AD, PowerShell …

Setup U-Turn (Hairpinning) on Cisco ASA

U-Turn (hairpinning with static NAT) makes a service published on the outside interface (the one that faces the Internet) of an ASA reachable for inside users at its public address. Say you have published an inside Web server with a static NAT to the outside interface and permitted inbound http to it. By default, inside users cannot connect to that public address: their packets arrive on the inside interface, the (inside,outside) static does not apply to traffic that stays on the inside, and the ASA will not send a packet back out the interface it came in on.

This is where the U-Turn feature comes into play. It lets the ASA handle traffic from inside users to the public address the same way as if that traffic had come from the outside.

Caution: Carefully consider the expected amount of traffic and the capabilities of your ASA device before you implement this solution, because every packet between the client and the Web server, in both directions, then transits the ASA and is translated twice. If the only goal is to let inside users reach the server by its public DNS name, DNS doctoring (the dns keyword on the existing static) or split DNS avoids the hairpin entirely.

Step 1: Enabling traffic of same security level to pass

same-security-traffic permit intra-interface

This command allows traffic to enter and leave the ASA through the same interface, which is exactly what a hairpinned connection does. (The related form, same-security-traffic permit inter-interface, is for traffic between two different interfaces that share a security level and is not what is needed here.) Without it the ASA drops the hairpinned packets even though both NAT entries below are in place.

Step 2: Enabling hairpinned client access through ASA device

global (inside) 1 interface

Hairpinned traffic must not only be translated, it must be translated so that the Web server's replies come back through the ASA. This command uses the inside interface address of the ASA as the PAT address for NAT ID 1, so a client connection that enters the inside interface and is hairpinned back out the inside interface appears to the Web server to come from the ASA itself. The server therefore answers the ASA, which reverses both translations before the reply reaches the client. Without this PAT the server would answer the client directly from its real address, and the client, which opened the connection to the public address, would discard the reply. The global statement pairs with the nat (inside) 1 statement that already covers your inside subnet; if your inside traffic is in a different NAT ID, use that ID instead.

Step 3: Create static NAT entry

static (inside,inside) {IP address of outside interface} {IP address of Web server} netmask 255.255.255.255

This static NAT entry creates a second mapping for the public address of the Web server. Unlike the (inside,outside) static you already have in place, this one maps the real address of the Web server to the public address on the inside interface. That allows the ASA to answer requests for the public address that it sees on the inside interface and forward them to the real address of the Web server through itself. Give the outside interface address as a literal IP here: the interface keyword would refer to the mapped interface, which in this entry is inside. Note also that with netmask 255.255.255.255 the whole public address is mapped, every port, not only http; if only one service should hairpin, use the port-based form of static instead.

Steps 1 and 2 need to be done only once, as they are global statements. If you require U-Turn for several public addresses, repeat step 3 for each address; for several services behind one public address, enter the port-based form of the static once per port, since a whole-address static can only be defined once per address.
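The three steps put together as one configuration, as an added example that is not part of the original post. All addresses are assumed: outside interface 203.0.113.10, inside interface 192.168.1.1 on 192.168.1.0/24, Web server 192.168.1.20, and a test client 192.168.1.50. The lines use the pre-8.3 nat/global/static syntax the post is written in; on ASA 8.3 and later these commands were replaced by object NAT and the same design has to be expressed in that syntax.

```text
! Added example, not the original post's configuration. Assumed addresses:
!   outside interface 203.0.113.10 (security-level 0)
!   inside interface  192.168.1.1  (security-level 100), subnet 192.168.1.0/24
!   Web server        192.168.1.20
!   test client       192.168.1.50

! --- Assumed to exist already: the normal publication of the Web server ---
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255
access-list outside_in extended permit tcp any interface outside eq www
access-group outside_in in interface outside

! --- Step 1: let a packet leave by the interface it arrived on ---
same-security-traffic permit intra-interface

! --- Step 2: PAT hairpinned sessions to the inside interface address ---
! Uses NAT ID 1, the same ID as the nat (inside) 1 statement above, so the
! server sees the connection coming from 192.168.1.1 and replies to the ASA.
global (inside) 1 interface

! --- Step 3: answer for the public address on the inside interface ---
! Whole-address form, as in the post (maps every port of 203.0.113.10).
! The outside address is given literally: "interface" would mean inside here.
static (inside,inside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255
! Port-based alternative if only http should hairpin. Use one form or the
! other; repeat the port form per port when several services share the address:
! static (inside,inside) tcp 203.0.113.10 www 192.168.1.20 www netmask 255.255.255.255

! --- Verification ---
! Walk a client packet through the rules without sending real traffic.
! Expect two NAT phases (destination to 192.168.1.20, source to 192.168.1.1)
! and a final "Action: allow"; a "Drop-reason" pointing at NAT or at the
! same-security check means one of the three steps is missing.
packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.10 80
! After a real connection, the translation table shows both halves of the
! hairpin: the client PATed to 192.168.1.1 and 192.168.1.20 mapped to 203.0.113.10.
show xlate
```

The packet-tracer line is the check worth keeping: it exercises the same-security rule and both translations in one command and names the failing stage, so a client that still cannot connect after these changes can be diagnosed without a packet capture.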